Saturday, June 22, 2024

Azure AppGW HTTP error 403 and outdated browser

This post is about encountering an AppGW HTTP error 403 while attempting to access a site published through Azure Application Gateway v2 with WAF enabled.

Upon reviewing the AppGW logs (Category == "ApplicationGatewayFirewallLog"), I noticed that the error was specific to a single client IP and that the details of the error message mentioned browser cookies. Based on this, I recommended that the user try accessing the site with a different browser (they had been using Google Chrome), and the site was accessible.

Following that, we updated Google Chrome to the latest version and rechecked. This time we encountered no errors, and the site was accessible without any issues.

The main takeaway here is that outdated browsers can sometimes trigger the web application firewall to block incoming requests. Therefore, if you come across a similar indication in the AppGW logs, check the URL using a different browser, check the version of the browser in question, and update it to the latest.

Related sample KQL query to use for AppGW logs:

// WAF log entries from the last hour for one client IP and request path
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where Category == "ApplicationGatewayFirewallLog"
| where clientIp_s == "<required source IP>" and requestUri_s contains "/path in your case"


In my case, this is an extract from the query output:

Message: Detects MySQL comment-/space-obfuscated injections and backtick termination

OWASP CRS ruleSetVersion_s: 3.2

ruleGroup_s: REQUEST-942-APPLICATION-ATTACK-SQLI

details_message_s: Pattern match (?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s*?\(\s*?space\s*?\(|,.*?[)\da-f"'`]["'`](?:["'`].*?["'`]|(?:\r?\n)?\z|[^"'`]+)|\Wselect.+\W*?from)) at REQUEST_COOKIES.

details_data_s: {,"campaigns":{"34645675687werwe4567rit6":{ found within [REQUEST_COOKIES:ORA_PERS:{"ids":["-23434645757657"],"campaigns":{"":{"activeBlocks":["c1","C2","C3","C4"],"pointer":"E1","event":"-687897890978860392"}}}]}
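To see why an ordinary cookie trips this rule, the following added example (not part of the original post, and not Azure or CRS code) runs the pattern quoted in details_message_s against the ORA_PERS value from the log and reports which branch of the pattern matched. Assumptions: Python's re module stands in for the WAF's regex engine, the log's \z is written \Z, and the function name, branch names and the samples marked as constructed are hypothetical.

```python
import re

# The three top-level branches of the pattern quoted in details_message_s.
# Python's re spells the end-of-input anchor \Z, so the log's \z becomes \Z.
BRANCHES = {  # branch names are hypothetical labels, not CRS identifiers
    "sql_space_call": r"(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t"
                      r"|de(?:lete|sc)|alter|load)\s*?\(\s*?space\s*?\(",
    "comma_quote_pair": r""",.*?[)\da-f"'`]["'`]"""
                        r"""(?:["'`].*?["'`]|(?:\r?\n)?\Z|[^"'`]+)""",
    "select_from": r"\Wselect.+\W*?from",
}
PATTERN = re.compile(
    "(?i:" + "|".join(f"(?P<{name}>{rx})" for name, rx in BRANCHES.items()) + ")"
)

def waf_hit(value):
    """Return (branch, matched_text) for the first match in value, else None."""
    m = PATTERN.search(value)
    return (m.lastgroup, m.group(0)) if m else None

# Cookie value exactly as shown after REQUEST_COOKIES:ORA_PERS: in the log.
ORA_PERS_LOGGED = ('{"ids":["-23434645757657"],"campaigns":{"":{"activeBlocks":'
                   '["c1","C2","C3","C4"],"pointer":"E1",'
                   '"event":"-687897890978860392"}}}')
# Constructed sample: same shape, with the campaign key from details_data_s.
ORA_PERS_KEYED = ('{"ids":["-23434645757657"],"campaigns":'
                  '{"34645675687werwe4567rit6":{"pointer":"E1"}}}')
# Constructed samples that should pass: an opaque token and one-key JSON.
OPAQUE_TOKEN = "sid-7k2m9xq4zt"
ONE_KEY_JSON = '{"pointer":"E1"}'

if __name__ == "__main__":
    for label, value in [("logged", ORA_PERS_LOGGED), ("keyed", ORA_PERS_KEYED),
                         ("token", OPAQUE_TOKEN), ("one-key", ONE_KEY_JSON)]:
        print(f"{label:8} -> {waf_hit(value)}")
```

Both ORA_PERS samples match through the comma_quote_pair branch: a comma, later a hex-like character followed by a quote, which multi-key JSON cookies commonly contain. No SQL keyword is involved in the match.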


If you're interested in learning more about HTTP error codes, you can explore the following links:

HTTP response status codes

HTTP response codes in Application Gateway


I hope you find this information useful. Thank you!


